2022-09-05 09:06:08 +02:00
/ *
Copyright ( c ) Edgeless Systems GmbH
SPDX - License - Identifier : AGPL - 3.0 - only
* /
2022-04-13 13:01:38 +02:00
package cloudcmd
import (
"context"
2023-02-27 18:19:52 +01:00
"errors"
2022-04-13 13:01:38 +02:00
"fmt"
"io"
2022-10-05 09:11:30 +02:00
"net/url"
"os"
2022-12-07 11:48:54 +01:00
"path"
2022-10-13 17:38:38 +02:00
"regexp"
2022-09-26 15:52:31 +02:00
"runtime"
2022-10-05 09:11:30 +02:00
"strings"
2022-04-13 13:01:38 +02:00
2022-10-05 09:11:30 +02:00
"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
2023-09-25 16:19:43 +02:00
"github.com/edgelesssys/constellation/v2/cli/internal/state"
2022-09-26 15:52:31 +02:00
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
2022-09-21 13:47:57 +02:00
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
2023-05-23 09:17:27 +02:00
"github.com/edgelesssys/constellation/v2/internal/imagefetcher"
2022-04-13 13:01:38 +02:00
)
// Creator creates cloud resources.
type Creator struct {
2022-09-27 09:22:29 +02:00
out io . Writer
2022-11-22 18:47:08 +01:00
image imageFetcher
2023-08-04 13:53:51 +02:00
newTerraformClient func ( ctx context . Context , workspace string ) ( tfResourceClient , error )
2022-10-05 09:11:30 +02:00
newLibvirtRunner func ( ) libvirtRunner
2022-11-22 18:47:08 +01:00
newRawDownloader func ( ) rawDownloader
2023-06-02 10:47:44 +02:00
policyPatcher policyPatcher
2022-04-13 13:01:38 +02:00
}
// NewCreator creates a new creator.
func NewCreator ( out io . Writer ) * Creator {
return & Creator {
2022-11-22 18:47:08 +01:00
out : out ,
2023-05-23 09:17:27 +02:00
image : imagefetcher . New ( ) ,
2023-08-04 13:53:51 +02:00
newTerraformClient : func ( ctx context . Context , workspace string ) ( tfResourceClient , error ) {
return terraform . New ( ctx , workspace )
2022-04-13 13:01:38 +02:00
} ,
2022-10-05 09:11:30 +02:00
newLibvirtRunner : func ( ) libvirtRunner {
return libvirt . New ( )
} ,
2022-11-22 18:47:08 +01:00
newRawDownloader : func ( ) rawDownloader {
2023-05-23 09:17:27 +02:00
return imagefetcher . NewDownloader ( )
2022-11-22 18:47:08 +01:00
} ,
2023-06-02 10:47:44 +02:00
policyPatcher : NewAzurePolicyPatcher ( ) ,
2022-04-13 13:01:38 +02:00
}
}
2023-04-14 14:15:07 +02:00
// CreateOptions are the options for creating a Constellation cluster.
type CreateOptions struct {
2023-08-04 13:53:51 +02:00
Provider cloudprovider . Provider
Config * config . Config
TFWorkspace string
image string
TFLogLevel terraform . LogLevel
2023-04-14 14:15:07 +02:00
}
2022-04-13 13:01:38 +02:00
// Create creates the handed amount of instances and all the needed resources.
2023-09-25 16:19:43 +02:00
func ( c * Creator ) Create ( ctx context . Context , opts CreateOptions ) ( state . Infrastructure , error ) {
2023-05-23 09:17:27 +02:00
provider := opts . Config . GetProvider ( )
attestationVariant := opts . Config . GetAttestationConfig ( ) . GetVariant ( )
region := opts . Config . GetRegion ( )
image , err := c . image . FetchReference ( ctx , provider , attestationVariant , opts . Config . Image , region )
2022-11-22 18:47:08 +01:00
if err != nil {
2023-09-25 16:19:43 +02:00
return state . Infrastructure { } , fmt . Errorf ( "fetching image reference: %w" , err )
2022-11-22 18:47:08 +01:00
}
2023-04-14 14:15:07 +02:00
opts . image = image
2022-11-22 18:47:08 +01:00
2023-08-04 13:53:51 +02:00
cl , err := c . newTerraformClient ( ctx , opts . TFWorkspace )
2023-07-21 10:04:29 +02:00
if err != nil {
2023-09-25 16:19:43 +02:00
return state . Infrastructure { } , err
2023-07-21 10:04:29 +02:00
}
defer cl . RemoveInstaller ( )
2023-09-25 17:10:23 +02:00
var infraState state . Infrastructure
2023-04-14 14:15:07 +02:00
switch opts . Provider {
2022-10-21 12:24:18 +02:00
case cloudprovider . AWS :
2023-07-21 10:04:29 +02:00
2023-09-25 17:10:23 +02:00
infraState , err = c . createAWS ( ctx , cl , opts )
2022-04-13 13:01:38 +02:00
case cloudprovider . GCP :
2023-07-21 10:04:29 +02:00
2023-09-25 17:10:23 +02:00
infraState , err = c . createGCP ( ctx , cl , opts )
2022-04-13 13:01:38 +02:00
case cloudprovider . Azure :
2023-07-21 10:04:29 +02:00
2023-09-25 17:10:23 +02:00
infraState , err = c . createAzure ( ctx , cl , opts )
2023-02-27 18:19:52 +01:00
case cloudprovider . OpenStack :
2023-07-21 10:04:29 +02:00
2023-09-25 17:10:23 +02:00
infraState , err = c . createOpenStack ( ctx , cl , opts )
2022-09-26 15:52:31 +02:00
case cloudprovider . QEMU :
2022-09-27 09:22:29 +02:00
if runtime . GOARCH != "amd64" || runtime . GOOS != "linux" {
2023-09-25 16:19:43 +02:00
return state . Infrastructure { } , fmt . Errorf ( "creation of a QEMU based Constellation is not supported for %s/%s" , runtime . GOOS , runtime . GOARCH )
2022-09-27 09:22:29 +02:00
}
2022-10-05 09:11:30 +02:00
lv := c . newLibvirtRunner ( )
2023-04-14 14:15:07 +02:00
qemuOpts := qemuCreateOptions {
source : image ,
CreateOptions : opts ,
}
2023-07-21 10:04:29 +02:00
2023-09-25 17:10:23 +02:00
infraState , err = c . createQEMU ( ctx , cl , lv , qemuOpts )
2022-04-13 13:01:38 +02:00
default :
2023-09-25 16:19:43 +02:00
return state . Infrastructure { } , fmt . Errorf ( "unsupported cloud provider: %s" , opts . Provider )
2022-04-13 13:01:38 +02:00
}
2022-11-15 14:00:44 +01:00
2022-10-21 12:24:18 +02:00
if err != nil {
2023-09-25 16:19:43 +02:00
return state . Infrastructure { } , fmt . Errorf ( "creating cluster: %w" , err )
2022-10-21 12:24:18 +02:00
}
2023-09-25 17:10:23 +02:00
return infraState , nil
2022-10-21 12:24:18 +02:00
}
2023-09-25 17:10:23 +02:00
func ( c * Creator ) createAWS ( ctx context . Context , cl tfResourceClient , opts CreateOptions ) ( tfOutput state . Infrastructure , retErr error ) {
2023-08-02 10:36:55 +02:00
vars := awsTerraformVars ( opts . Config , opts . image )
2022-11-15 14:00:44 +01:00
2023-07-21 10:04:29 +02:00
tfOutput , err := runTerraformCreate ( ctx , cl , cloudprovider . AWS , vars , c . out , opts . TFLogLevel )
2022-10-11 12:24:33 +02:00
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2022-06-09 22:26:36 +02:00
}
2023-07-21 10:04:29 +02:00
return tfOutput , nil
2022-04-13 13:01:38 +02:00
}
2023-09-25 17:10:23 +02:00
func ( c * Creator ) createGCP ( ctx context . Context , cl tfResourceClient , opts CreateOptions ) ( tfOutput state . Infrastructure , retErr error ) {
2023-08-02 10:36:55 +02:00
vars := gcpTerraformVars ( opts . Config , opts . image )
2023-07-21 10:04:29 +02:00
tfOutput , err := runTerraformCreate ( ctx , cl , cloudprovider . GCP , vars , c . out , opts . TFLogLevel )
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2022-04-13 13:01:38 +02:00
}
2022-10-06 11:52:19 +02:00
2023-07-21 10:04:29 +02:00
return tfOutput , nil
}
2022-10-12 17:00:59 +02:00
2023-09-25 17:10:23 +02:00
func ( c * Creator ) createAzure ( ctx context . Context , cl tfResourceClient , opts CreateOptions ) ( tfOutput state . Infrastructure , retErr error ) {
2023-08-02 10:36:55 +02:00
vars := azureTerraformVars ( opts . Config , opts . image )
2022-11-15 14:00:44 +01:00
2023-07-21 10:04:29 +02:00
tfOutput , err := runTerraformCreate ( ctx , cl , cloudprovider . Azure , vars , c . out , opts . TFLogLevel )
2022-10-11 12:24:33 +02:00
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2022-04-13 13:01:38 +02:00
}
2023-07-21 10:04:29 +02:00
if vars . GetCreateMAA ( ) {
2023-03-20 13:33:04 +01:00
// Patch the attestation policy to allow the cluster to boot while having secure boot disabled.
2023-07-31 10:53:05 +02:00
if tfOutput . Azure == nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , errors . New ( "no Terraform Azure output found" )
2023-07-31 10:53:05 +02:00
}
if err := c . policyPatcher . Patch ( ctx , tfOutput . Azure . AttestationURL ) ; err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2023-03-20 13:33:04 +01:00
}
}
2023-07-21 10:04:29 +02:00
return tfOutput , nil
2022-04-13 13:01:38 +02:00
}
2022-09-26 15:52:31 +02:00
2023-06-02 10:47:44 +02:00
// policyPatcher interacts with the CSP (currently only applies for Azure) to update the attestation policy.
type policyPatcher interface {
2023-03-20 13:33:04 +01:00
Patch ( ctx context . Context , attestationURL string ) error
}
2022-10-13 17:38:38 +02:00
// The azurerm Terraform provider enforces its own convention of case sensitivity for Azure URIs which Azure's API itself does not enforce or, even worse, actually returns.
// Let's go loco with case insensitive Regexp here and fix the user input here to be compliant with this arbitrary design decision.
var (
caseInsensitiveSubscriptionsRegexp = regexp . MustCompile ( ` (?i)\/subscriptions\/ ` )
caseInsensitiveResourceGroupRegexp = regexp . MustCompile ( ` (?i)\/resourcegroups\/ ` )
caseInsensitiveProvidersRegexp = regexp . MustCompile ( ` (?i)\/providers\/ ` )
caseInsensitiveUserAssignedIdentitiesRegexp = regexp . MustCompile ( ` (?i)\/userassignedidentities\/ ` )
caseInsensitiveMicrosoftManagedIdentity = regexp . MustCompile ( ` (?i)\/microsoft.managedidentity\/ ` )
caseInsensitiveCommunityGalleriesRegexp = regexp . MustCompile ( ` (?i)\/communitygalleries\/ ` )
caseInsensitiveImagesRegExp = regexp . MustCompile ( ` (?i)\/images\/ ` )
caseInsensitiveVersionsRegExp = regexp . MustCompile ( ` (?i)\/versions\/ ` )
)
2022-10-12 17:00:59 +02:00
2023-07-21 10:04:29 +02:00
func normalizeAzureURIs ( vars * terraform . AzureClusterVariables ) * terraform . AzureClusterVariables {
2022-10-13 17:38:38 +02:00
vars . UserAssignedIdentity = caseInsensitiveSubscriptionsRegexp . ReplaceAllString ( vars . UserAssignedIdentity , "/subscriptions/" )
vars . UserAssignedIdentity = caseInsensitiveResourceGroupRegexp . ReplaceAllString ( vars . UserAssignedIdentity , "/resourceGroups/" )
vars . UserAssignedIdentity = caseInsensitiveProvidersRegexp . ReplaceAllString ( vars . UserAssignedIdentity , "/providers/" )
vars . UserAssignedIdentity = caseInsensitiveUserAssignedIdentitiesRegexp . ReplaceAllString ( vars . UserAssignedIdentity , "/userAssignedIdentities/" )
vars . UserAssignedIdentity = caseInsensitiveMicrosoftManagedIdentity . ReplaceAllString ( vars . UserAssignedIdentity , "/Microsoft.ManagedIdentity/" )
vars . ImageID = caseInsensitiveCommunityGalleriesRegexp . ReplaceAllString ( vars . ImageID , "/communityGalleries/" )
vars . ImageID = caseInsensitiveImagesRegExp . ReplaceAllString ( vars . ImageID , "/images/" )
vars . ImageID = caseInsensitiveVersionsRegExp . ReplaceAllString ( vars . ImageID , "/versions/" )
2022-10-12 17:00:59 +02:00
return vars
}
2023-09-25 17:10:23 +02:00
func ( c * Creator ) createOpenStack ( ctx context . Context , cl tfResourceClient , opts CreateOptions ) ( infraState state . Infrastructure , retErr error ) {
2023-02-27 18:19:52 +01:00
if os . Getenv ( "CONSTELLATION_OPENSTACK_DEV" ) != "1" {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , errors . New ( "Constellation must be fine-tuned to your OpenStack deployment. Please create an issue or contact Edgeless Systems at https://edgeless.systems/contact/" )
2023-02-27 18:19:52 +01:00
}
2023-04-14 14:15:07 +02:00
if _ , hasOSAuthURL := os . LookupEnv ( "OS_AUTH_URL" ) ; ! hasOSAuthURL && opts . Config . Provider . OpenStack . Cloud == "" {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , errors . New (
2023-02-27 18:19:52 +01:00
"neither environment variable OS_AUTH_URL nor cloud name for \"clouds.yaml\" is set. OpenStack authentication requires a set of " +
"OS_* environment variables that are typically sourced into the current shell with an openrc file " +
"or a cloud name for \"clouds.yaml\". " +
"See https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html for more information" ,
)
}
2023-08-02 10:36:55 +02:00
vars := openStackTerraformVars ( opts . Config , opts . image )
2023-07-21 10:04:29 +02:00
2023-09-25 17:10:23 +02:00
infraState , err := runTerraformCreate ( ctx , cl , cloudprovider . OpenStack , vars , c . out , opts . TFLogLevel )
2023-07-21 10:04:29 +02:00
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2023-02-27 18:19:52 +01:00
}
2023-09-25 17:10:23 +02:00
return infraState , nil
2023-07-21 10:04:29 +02:00
}
2023-09-25 17:10:23 +02:00
func runTerraformCreate ( ctx context . Context , cl tfResourceClient , provider cloudprovider . Provider , vars terraform . Variables , outWriter io . Writer , loglevel terraform . LogLevel ) ( output state . Infrastructure , retErr error ) {
2023-07-21 10:04:29 +02:00
if err := cl . PrepareWorkspace ( path . Join ( "terraform" , strings . ToLower ( provider . String ( ) ) ) , vars ) ; err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2023-02-27 18:19:52 +01:00
}
2023-07-21 10:04:29 +02:00
defer rollbackOnError ( outWriter , & retErr , & rollbackerTerraform { client : cl } , loglevel )
2023-08-21 10:26:53 +02:00
tfOutput , err := cl . ApplyCluster ( ctx , provider , loglevel )
2023-02-27 18:19:52 +01:00
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2023-02-27 18:19:52 +01:00
}
2023-07-21 10:04:29 +02:00
return tfOutput , nil
2023-02-27 18:19:52 +01:00
}
2023-04-14 14:15:07 +02:00
type qemuCreateOptions struct {
source string
CreateOptions
}
2023-09-25 17:10:23 +02:00
func ( c * Creator ) createQEMU ( ctx context . Context , cl tfResourceClient , lv libvirtRunner , opts qemuCreateOptions ) ( tfOutput state . Infrastructure , retErr error ) {
2022-11-15 14:00:44 +01:00
qemuRollbacker := & rollbackerQEMU { client : cl , libvirt : lv , createdWorkspace : false }
2023-04-14 14:15:07 +02:00
defer rollbackOnError ( c . out , & retErr , qemuRollbacker , opts . TFLogLevel )
2022-10-05 09:11:30 +02:00
2023-06-01 12:33:06 +02:00
// TODO(malt3): render progress bar
2022-11-22 18:47:08 +01:00
downloader := c . newRawDownloader ( )
2023-04-14 14:15:07 +02:00
imagePath , err := downloader . Download ( ctx , c . out , false , opts . source , opts . Config . Image )
2022-11-22 18:47:08 +01:00
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , fmt . Errorf ( "download raw image: %w" , err )
2022-11-22 18:47:08 +01:00
}
2023-04-14 14:15:07 +02:00
libvirtURI := opts . Config . Provider . QEMU . LibvirtURI
2022-10-05 09:11:30 +02:00
libvirtSocketPath := "."
switch {
// if no libvirt URI is specified, start a libvirt container
case libvirtURI == "" :
2023-04-14 14:15:07 +02:00
if err := lv . Start ( ctx , opts . Config . Name , opts . Config . Provider . QEMU . LibvirtContainerImage ) ; err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , fmt . Errorf ( "start libvirt container: %w" , err )
2022-10-05 09:11:30 +02:00
}
2022-10-07 09:38:43 +02:00
libvirtURI = libvirt . LibvirtTCPConnectURI
2022-10-05 09:11:30 +02:00
// socket for system URI should be in /var/run/libvirt/libvirt-sock
case libvirtURI == "qemu:///system" :
libvirtSocketPath = "/var/run/libvirt/libvirt-sock"
// socket for session URI should be in /run/user/<uid>/libvirt/libvirt-sock
case libvirtURI == "qemu:///session" :
libvirtSocketPath = fmt . Sprintf ( "/run/user/%d/libvirt/libvirt-sock" , os . Getuid ( ) )
// if a unix socket is specified we need to parse the URI to get the socket path
case strings . HasPrefix ( libvirtURI , "qemu+unix://" ) :
unixURI , err := url . Parse ( strings . TrimPrefix ( libvirtURI , "qemu+unix://" ) )
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , err
2022-10-05 09:11:30 +02:00
}
libvirtSocketPath = unixURI . Query ( ) . Get ( "socket" )
if libvirtSocketPath == "" {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , fmt . Errorf ( "socket path not specified in qemu+unix URI: %s" , libvirtURI )
2022-10-05 09:11:30 +02:00
}
}
metadataLibvirtURI := libvirtURI
if libvirtSocketPath != "." {
metadataLibvirtURI = "qemu:///system"
}
2022-09-27 09:22:29 +02:00
2023-08-02 10:36:55 +02:00
vars := qemuTerraformVars ( opts . Config , imagePath , libvirtURI , libvirtSocketPath , metadataLibvirtURI )
2023-07-21 10:04:29 +02:00
2023-06-28 14:42:34 +02:00
if opts . Config . Provider . QEMU . Firmware != "" {
vars . Firmware = toPtr ( opts . Config . Provider . QEMU . Firmware )
}
2022-09-26 15:52:31 +02:00
2023-07-21 10:04:29 +02:00
if err := cl . PrepareWorkspace ( path . Join ( "terraform" , strings . ToLower ( cloudprovider . QEMU . String ( ) ) ) , vars ) ; err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , fmt . Errorf ( "prepare workspace: %w" , err )
2022-11-15 14:00:44 +01:00
}
// Allow rollback of QEMU Terraform workspace from this point on
qemuRollbacker . createdWorkspace = true
2023-08-21 10:26:53 +02:00
tfOutput , err = cl . ApplyCluster ( ctx , opts . Provider , opts . TFLogLevel )
2022-10-11 12:24:33 +02:00
if err != nil {
2023-09-25 17:10:23 +02:00
return state . Infrastructure { } , fmt . Errorf ( "create cluster: %w" , err )
2022-09-26 15:52:31 +02:00
}
2023-07-21 10:04:29 +02:00
return tfOutput , nil
2022-09-26 15:52:31 +02:00
}
2023-06-22 16:53:40 +02:00
func toPtr [ T any ] ( v T ) * T {
return & v
}